Search in sources :

Example 1 with CertificatePoliciesExtension

use of sun.security.x509.CertificatePoliciesExtension in project jdk8u_jdk by JetBrains.

the class X509CertSelectorTest method testPolicy.

/*
     * Tests matching on the policy constraints extension contained in the
     * certificate.
     */
private void testPolicy() throws IOException {
    System.out.println("X.509 Certificate Match on certificatePolicies");
    // test encoding of CertificatePoliciesExtension because we wrote the
    // code
    // bad match
    X509CertSelector selector = new X509CertSelector();
    Set<String> s = new HashSet<>();
    s.add(new String("1.2.5.7.68"));
    selector.setPolicy(s);
    checkMatch(selector, cert, false);
    // good match
    DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.32"));
    CertificatePoliciesExtension ext = new CertificatePoliciesExtension(false, in.getOctetString());
    List<PolicyInformation> policies = ext.get(CertificatePoliciesExtension.POLICIES);
    // match on the first policy id
    PolicyInformation policyInfo = (PolicyInformation) policies.get(0);
    s.clear();
    s.add(policyInfo.getPolicyIdentifier().getIdentifier().toString());
    selector.setPolicy(s);
    checkMatch(selector, cert, true);
}
Also used : PolicyInformation(sun.security.x509.PolicyInformation) X509CertSelector(java.security.cert.X509CertSelector) DerInputStream(sun.security.util.DerInputStream) CertificatePoliciesExtension(sun.security.x509.CertificatePoliciesExtension) HashSet(java.util.HashSet)

Example 2 with CertificatePoliciesExtension

use of sun.security.x509.CertificatePoliciesExtension in project jdk8u_jdk by JetBrains.

the class PolicyChecker method processPolicies.

/**
     * Processes certificate policies in the certificate.
     *
     * @param certIndex the index of the certificate
     * @param initPolicies the initial policies required by the user
     * @param explicitPolicy an integer which indicates if a non-null
     * valid policy tree is required
     * @param policyMapping an integer which indicates if policy
     * mapping is inhibited
     * @param inhibitAnyPolicy an integer which indicates whether
     * "any-policy" is considered a match
     * @param rejectPolicyQualifiers a boolean indicating whether the
     * user wants to reject policies that have qualifiers
     * @param origRootNode the root node of the valid policy tree
     * @param currCert the Certificate to be processed
     * @param finalCert a boolean indicating whether currCert is the final
     * cert in the cert path
     * @return the root node of the valid policy tree after modification
     * @exception CertPathValidatorException Exception thrown if an
     * error occurs while processing policies.
     */
static PolicyNodeImpl processPolicies(int certIndex, Set<String> initPolicies, int explicitPolicy, int policyMapping, int inhibitAnyPolicy, boolean rejectPolicyQualifiers, PolicyNodeImpl origRootNode, X509CertImpl currCert, boolean finalCert) throws CertPathValidatorException {
    boolean policiesCritical = false;
    List<PolicyInformation> policyInfo;
    PolicyNodeImpl rootNode = null;
    Set<PolicyQualifierInfo> anyQuals = new HashSet<>();
    if (origRootNode == null)
        rootNode = null;
    else
        rootNode = origRootNode.copyTree();
    // retrieve policyOIDs from currCert
    CertificatePoliciesExtension currCertPolicies = currCert.getCertificatePoliciesExtension();
    // PKIX: Section 6.1.3: Step (d)
    if ((currCertPolicies != null) && (rootNode != null)) {
        policiesCritical = currCertPolicies.isCritical();
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "policiesCritical = " + policiesCritical);
        try {
            policyInfo = currCertPolicies.get(CertificatePoliciesExtension.POLICIES);
        } catch (IOException ioe) {
            throw new CertPathValidatorException("Exception while " + "retrieving policyOIDs", ioe);
        }
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "rejectPolicyQualifiers = " + rejectPolicyQualifiers);
        boolean foundAnyPolicy = false;
        // process each policy in cert
        for (PolicyInformation curPolInfo : policyInfo) {
            String curPolicy = curPolInfo.getPolicyIdentifier().getIdentifier().toString();
            if (curPolicy.equals(ANY_POLICY)) {
                foundAnyPolicy = true;
                anyQuals = curPolInfo.getPolicyQualifiers();
            } else {
                // PKIX: Section 6.1.3: Step (d)(1)
                if (debug != null)
                    debug.println("PolicyChecker.processPolicies() " + "processing policy: " + curPolicy);
                // retrieve policy qualifiers from cert
                Set<PolicyQualifierInfo> pQuals = curPolInfo.getPolicyQualifiers();
                // the policyQualifiersRejected flag is set in the params
                if (!pQuals.isEmpty() && rejectPolicyQualifiers && policiesCritical) {
                    throw new CertPathValidatorException("critical policy qualifiers present in certificate", null, null, -1, PKIXReason.INVALID_POLICY);
                }
                // PKIX: Section 6.1.3: Step (d)(1)(i)
                boolean foundMatch = processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, curPolicy, pQuals, false);
                if (!foundMatch) {
                    // PKIX: Section 6.1.3: Step (d)(1)(ii)
                    processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, curPolicy, pQuals, true);
                }
            }
        }
        // PKIX: Section 6.1.3: Step (d)(2)
        if (foundAnyPolicy) {
            if ((inhibitAnyPolicy > 0) || (!finalCert && X509CertImpl.isSelfIssued(currCert))) {
                if (debug != null) {
                    debug.println("PolicyChecker.processPolicies() " + "processing policy: " + ANY_POLICY);
                }
                processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, ANY_POLICY, anyQuals, true);
            }
        }
        // PKIX: Section 6.1.3: Step (d)(3)
        rootNode.prune(certIndex);
        if (!rootNode.getChildren().hasNext()) {
            rootNode = null;
        }
    } else if (currCertPolicies == null) {
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "no policies present in cert");
        // PKIX: Section 6.1.3: Step (e)
        rootNode = null;
    }
    // resulting in a null tree
    if (rootNode != null) {
        if (!finalCert) {
            // PKIX: Section 6.1.4: Steps (a)-(b)
            rootNode = processPolicyMappings(currCert, certIndex, policyMapping, rootNode, policiesCritical, anyQuals);
        }
    }
    if ((rootNode != null) && (!initPolicies.contains(ANY_POLICY)) && (currCertPolicies != null)) {
        rootNode = removeInvalidNodes(rootNode, certIndex, initPolicies, currCertPolicies);
        // PKIX: Section 6.1.5: Step (g)(iii)
        if ((rootNode != null) && finalCert) {
            // rewrite anyPolicy leaf nodes (see method comments)
            rootNode = rewriteLeafNodes(certIndex, initPolicies, rootNode);
        }
    }
    if (finalCert) {
        // PKIX: Section 6.1.5: Steps (a) and (b)
        explicitPolicy = mergeExplicitPolicy(explicitPolicy, currCert, finalCert);
    }
    if ((explicitPolicy == 0) && (rootNode == null)) {
        throw new CertPathValidatorException("non-null policy tree required and policy tree is null", null, null, -1, PKIXReason.INVALID_POLICY);
    }
    return rootNode;
}
Also used : CertPathValidatorException(java.security.cert.CertPathValidatorException) PolicyInformation(sun.security.x509.PolicyInformation) PolicyQualifierInfo(java.security.cert.PolicyQualifierInfo) CertificatePoliciesExtension(sun.security.x509.CertificatePoliciesExtension) IOException(java.io.IOException)

Example 3 with CertificatePoliciesExtension

use of sun.security.x509.CertificatePoliciesExtension in project jdk8u_jdk by JetBrains.

the class PolicyChecker method removeInvalidNodes.

/**
     * Removes those nodes which do not intersect with the initial policies
     * specified by the user.
     *
     * @param rootNode the root node of the valid policy tree
     * @param certIndex the index of the certificate being processed
     * @param initPolicies the Set of policies required by the user
     * @param currCertPolicies the CertificatePoliciesExtension of the
     * certificate being processed
     * @returns the root node of the valid policy tree after modification
     * @exception CertPathValidatorException Exception thrown if error occurs.
     */
private static PolicyNodeImpl removeInvalidNodes(PolicyNodeImpl rootNode, int certIndex, Set<String> initPolicies, CertificatePoliciesExtension currCertPolicies) throws CertPathValidatorException {
    List<PolicyInformation> policyInfo = null;
    try {
        policyInfo = currCertPolicies.get(CertificatePoliciesExtension.POLICIES);
    } catch (IOException ioe) {
        throw new CertPathValidatorException("Exception while " + "retrieving policyOIDs", ioe);
    }
    boolean childDeleted = false;
    for (PolicyInformation curPolInfo : policyInfo) {
        String curPolicy = curPolInfo.getPolicyIdentifier().getIdentifier().toString();
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "processing policy second time: " + curPolicy);
        Set<PolicyNodeImpl> validNodes = rootNode.getPolicyNodesValid(certIndex, curPolicy);
        for (PolicyNodeImpl curNode : validNodes) {
            PolicyNodeImpl parentNode = (PolicyNodeImpl) curNode.getParent();
            if (parentNode.getValidPolicy().equals(ANY_POLICY)) {
                if ((!initPolicies.contains(curPolicy)) && (!curPolicy.equals(ANY_POLICY))) {
                    if (debug != null)
                        debug.println("PolicyChecker.processPolicies() " + "before deleting: policy tree = " + rootNode);
                    parentNode.deleteChild(curNode);
                    childDeleted = true;
                    if (debug != null)
                        debug.println("PolicyChecker.processPolicies() " + "after deleting: policy tree = " + rootNode);
                }
            }
        }
    }
    if (childDeleted) {
        rootNode.prune(certIndex);
        if (!rootNode.getChildren().hasNext()) {
            rootNode = null;
        }
    }
    return rootNode;
}
Also used : CertPathValidatorException(java.security.cert.CertPathValidatorException) PolicyInformation(sun.security.x509.PolicyInformation) IOException(java.io.IOException)

Aggregations

PolicyInformation (sun.security.x509.PolicyInformation)3 IOException (java.io.IOException)2 CertPathValidatorException (java.security.cert.CertPathValidatorException)2 CertificatePoliciesExtension (sun.security.x509.CertificatePoliciesExtension)2 PolicyQualifierInfo (java.security.cert.PolicyQualifierInfo)1 X509CertSelector (java.security.cert.X509CertSelector)1 HashSet (java.util.HashSet)1 DerInputStream (sun.security.util.DerInputStream)1